From: "Arlene Berry"
To: krb5-bugs@mit.edu
Subject: des-cbc-md5
Date: Mon, 25 Sep 2006 23:06:51 +0000

For some time now I have noticed that if in krb5.conf you set default_tkt_enctypes and default_tgs_enctypes to a single value of des-cbc-md5, kinit fails with a "KDC has no support for encryption type" message. Remove it or add another encryption type and kinit succeeds. I am working with a third-party Kerberos/GSSAPI implementation; it receives the same error, and there is no workaround for it.

In src/kdc/kdc_util.c there's a function dbentry_supports_enctype which has a hardcoded return value of 0 if the enctype parameter is des-cbc-md5. The function which calls dbentry_supports_enctype is select_session_keytype, also in kdc_util.c, and it then returns 0. The function which calls select_session_keytype is process_as_req in src/kdc/do_as_req.c, and it then sets the KRB5KDC_ERR_ETYPE_NOSUPP error and creates the error message for the client.

I commented out the hardcoded return 0 for des-cbc-md5 in dbentry_supports_enctype, and then everything seemed to work. The code takes this same path with both kinit and the third-party Kerberos implementation. I happen to have my KDC configured for only the des-cbc-md5 enctype, but I have seen the error message in the past when using multiple enctypes.
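The call path this report describes, as a small added C model (not MIT krb5 source and not part of the original message). The model_* names, the hardcoded_reject flag standing in for the commented-out line, and the sample principals are assumptions; the second principal is constructed with an extra des-cbc-crc key to model the "add another encryption type" case.

```c
#include <stddef.h>
#include <stdio.h>

/* Enctype numbers are from RFC 3961, the error code from RFC 4120. */
enum { ENCTYPE_DES_CBC_CRC = 1, ENCTYPE_DES_CBC_MD5 = 3 };
enum { KDC_ERR_ETYPE_NOSUPP = 14 };

/* Hypothetical stand-in for a principal's database entry. */
struct model_dbentry { const int *key_enctypes; size_t n_keys; };

/* The check as the message describes it: with hardcoded_reject set,
 * des-cbc-md5 is refused before the entry's keys are even consulted. */
static int model_supports_enctype(const struct model_dbentry *e, int enctype,
                                  int hardcoded_reject)
{
    if (hardcoded_reject && enctype == ENCTYPE_DES_CBC_MD5)
        return 0;
    for (size_t i = 0; i < e->n_keys; i++)
        if (e->key_enctypes[i] == enctype)
            return 1;
    return 0;
}

/* First requested enctype the entry supports, or 0 if there is none. */
static int model_select_session_keytype(const struct model_dbentry *e,
                                        const int *req, size_t n_req,
                                        int hardcoded_reject)
{
    for (size_t i = 0; i < n_req; i++)
        if (model_supports_enctype(e, req[i], hardcoded_reject))
            return req[i];
    return 0;
}

/* AS-REQ step: the chosen enctype, or the negated error code on failure. */
static int model_process_as_req(const struct model_dbentry *e, const int *req,
                                size_t n_req, int hardcoded_reject)
{
    int chosen = model_select_session_keytype(e, req, n_req, hardcoded_reject);
    return chosen ? chosen : -KDC_ERR_ETYPE_NOSUPP;
}

/* Constructed sample data: request lists and principals, not from a real KDC. */
static const int REQ_MD5[] = { ENCTYPE_DES_CBC_MD5 };
static const int REQ_MD5_CRC[] = { ENCTYPE_DES_CBC_MD5, ENCTYPE_DES_CBC_CRC };
static const struct model_dbentry ENTRY_MD5 = { REQ_MD5, 1 };
static const struct model_dbentry ENTRY_BOTH = { REQ_MD5_CRC, 2 };

int main(void)
{
    printf("md5 only, check on:  %d\n", model_process_as_req(&ENTRY_MD5, REQ_MD5, 1, 1));
    printf("md5 only, check off: %d\n", model_process_as_req(&ENTRY_MD5, REQ_MD5, 1, 0));
    printf("md5+crc,  check on:  %d\n", model_process_as_req(&ENTRY_BOTH, REQ_MD5_CRC, 2, 1));
    return 0;
}
```

A negative result is the error the client sees; a positive result is the enctype the model would pick for the session key.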